Could not reproduce your exact error in a test harness containing the exact sample code you provided, so there may be an issue outside of what you have shown.

However, there’s an error (incompleteness) in the logic you presented that may or may not be the cause of the overall issues you’re seeing, but needs to be fixed nonetheless.

The section:

if (err) {
    // redirect to custom login page
} else { /* ... */ }

should instead be:

// authResult.error could mean the user does not have an active session
// so it should also require a redirect to the login page
if (err || authResult.error) {
    // redirect to custom login page
} else { /* ... */ }

Realized that line 17, redirecturi, needs the full address to work correctly. Now for renewAuth, I am always getting login_required. Found a GitHub repo using logic similar to what I have: https://github.com/rochdev/auth0-nonce-bug

They have a comment of the following: “Configure an identity provider with a client ID and client secret in Auth0 (otherwise you will always get login_required)”

Seems like it’s possible that I do not have this step set up correctly. What does this statement actually mean?

The login_required is an expected situation that means there was no previously authenticated session for the user. In order for silent authentication to succeed the user must have previously authenticated in a way that generated an authenticated session; if the user went through the hosted login page then it’s highly likely that the session was generated so renewing auth using the same browser would be able to leverage that session and succeed. In relation to the sentence in the linked repo, I’m honestly not sure what they meant by that.
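
The callback handling discussed in this thread, as an added example that is not part of any post above and is not Auth0's own code: it treats login_required as the expected "no session" outcome, separates it from unexpected errors, and checks that a redirect URI is a full address. The function names, the returned action/reason values, the `accessToken` field, the two extra OIDC error codes, and the sample URLs are assumptions for illustration.

```javascript
// Added example: classify the outcome of a silent-authentication callback.
// The (err, authResult) shape follows the snippet in the thread; the
// `accessToken` field and the action/reason names are assumptions.

// OIDC error codes meaning "cannot finish without showing UI to the user".
const NEEDS_INTERACTIVE_LOGIN = new Set([
  'login_required',
  'interaction_required',
  'consent_required',
]);

// The redirect URI must be a full address (scheme + host), not a relative path.
function isAbsoluteRedirectUri(uri) {
  try {
    const u = new URL(uri); // throws on relative input such as "/silent-callback"
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch (e) {
    return false;
  }
}

// Returns { action, reason } so the caller decides how to navigate.
function classifyRenewResult(err, authResult) {
  if (err) {
    return { action: 'login', reason: 'request_failed' };
  }
  if (!authResult) {
    return { action: 'login', reason: 'empty_result' };
  }
  if (authResult.error) {
    // Expected "no session" codes are reported as-is; anything else is flagged.
    const expected = NEEDS_INTERACTIVE_LOGIN.has(authResult.error);
    return { action: 'login', reason: expected ? authResult.error : 'unexpected_error' };
  }
  if (!authResult.accessToken) {
    // Never treat a result without a token as a renewed session.
    return { action: 'login', reason: 'missing_token' };
  }
  return { action: 'continue', reason: 'session_renewed' };
}

// Constructed sample inputs.
const samples = [
  [null, { error: 'login_required' }],
  [new Error('timeout'), undefined],
  [null, { accessToken: 'constructed-token' }],
];
for (const [err, res] of samples) console.log(classifyRenewResult(err, res));
```

Logging the `reason` value makes it possible to tell an expected missing session apart from a misconfiguration when every renewal attempt ends in a redirect to login.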